The US Cybersecurity and Infrastructure Agency (CISA) is warning admins that a Microsoft SharePoint Server flaw is now being actively exploited in the wild.
In a new addition to its Known Exploited Vulnerabilities (KEV) catalog, CISA says CVE202329357 is being used to gain elevated privileges.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” it noted.
Microsoft described the vulnerability as a privilege escalation flaw and patched it with the June 2023 Patch Tuesday cumulative update.
“An attacker who has gained access to spoofed JWT authentication tokens can use them to execute a network attack which bypasses authentication and allows them to gain access to the privileges of an authenticated user,” Microsoft said. “The attacker needs no privileges nor does the user need to perform any action.”
As per TheHackerNews, security researcher Nguyễn Tiến Giang (Jang) of StarLabs SG showed the vulnerability in action at the Pwn2Own Vancouver hacking contest and earned $100,000 in prize money. He chained the flaw with CVE202324955 (patched in May this year), and gained remote code execution capabilities on an infected endpoint.
The latter had a severity score of 7.2.
CISA did not share more details in its alert, so we don’t know who the threat actors are, or who they’re targeting, other than the fact that the victims could be Federal organizations. “CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice,” the organization concluded.